Danish company Secunia posted details of the alleged flaw, which could be used in combination with an earlier "spoofing" flaw reported by the company.
A Microsoft representative said the company was investigating the report but was not aware of any exploits involving the supposed flaw. The representative also echoed previous criticisms of security researchers publicising software flaws before software makers can adequately investigate and remedy the problems. "Microsoft continues to encourage the responsible disclosure of vulnerabilities," the representative said.
The new flaw could allow the owner of a malicious Web site to deliberately misidentify a downloadable file, so a malicious program file could be made to appear as if it were a secure file. Visitors might think they were downloading a document based on Adobe's portable document format (PDF), for instance, but actually receive a malicious, self-executing program such as the new MyDoom worm.
Secunia's advisory includes an online test showing how the flaw could be exploited. The company said it identified the hole in the current version 6 of Internet Explorer, but previous releases also could be affected. Secunia representatives did not immediately respond to a request for comment.
The alleged flaw could be particularly effective if used in combination with another IE hole identified by Secunia last month. That flaw lets Web site owners disguise the identity of their site by displaying a false address in the Internet Explorer address and status bars.
Microsoft has yet to release a patch for that vulnerability, although it has posted a bulletin with tips for avoiding such "spoofed" sites. Among the tips are not clicking hyperlinks. "Rather, type the URL of your intended destination in the address bar yourself," Microsoft advises.
Microsoft's delay in addressing that flaw has drawn criticism from security experts and led an open-source programming group to create its own patch for the flaw.
Microsoft last year instituted a new policy for patching security holes, deciding to cluster fixes in a single monthly release rather than distributing piecemeal updates.
Talkback
Can we please get one thing out into the open. The URL spoofing issue is not a Microsoft problem, it is the standard behaviour specified in the relevant RFCs. It has been shown to occur on other browsers. The comments in this article only helped spread FUD